Sven’s respose from a locked thread:
Starting a new thread, bases on this reply:
as many obstacles in the attackers’ paths
The entire point was that for an attacker commanding a Xen 0-day
obtaining root privileges is not an obstacle. And that’s the only form
of attack where the whole discussion about passwordless root even makes
Think about it:
- the attacker is already executing code on your machine
- can already persist in your home directory
- any changes that attacker could make through root privileges DO NOT
So giving the attacker passwordless root access in a standard qube
doesn’t change a thing. Hence all it really is at that point is a UX
Standalone qubes are a different topic, as are templates in which you
are hopefully never execute anything besides ‘apt’ or ‘dnf’.
It’s not a matter of making users (or maybe just me) feel good, as no
one has yet been able to make an argument to convince me that the
costs of sudo prompt (UX or otherwise) outweigh the security
Ok, I am up for that discussion. Please tell me which security benefits
sudo prompt affords you in a standard AppVM qube setup. My goal will be
to prove to you that there are none, and hence it’s just a hurdle.
I’ve been told to “agree to differ” by one of the more technical and
respected members of the community, but that’s hard to swallow
especially when it comes from someone with his level of knowledge.
Only if you assume that you are right. Could it be that the “more
technical and respected members of the community” understands something
that you don’t? I’d at least consider it.
Would this be a good point to split the thread
Done. I just see @deeplow made a new thread here:
So feel free to answer there. I’ll lock this one to avoid duplicate threads.
and make a poll?
About? The root thing? It’s not up for vote: it’s a technical question
not a matter of opinion.
This was a helpful response.
To paraphrase for others like me: An attacker who is already in position to escalate privileges can already attack Xen, provided she has an exploit. Otherwise, she is trapped by the compartmentalization of Qubes, and what she has access to is ultimately the user’s responsibility. Therefore, sudo prompt offers no benefits in that scenario–it isn’t a beachhead for an attack on Xen, since someone who can escalate already has a functionally identical beachhead. However, this doesn’t apply to standalones since they lack both disposability and often compartmentalization.
I wasn’t thinking with Qubes and was so focused on the traditional model that I kept seeing PE as a common gateway to arbitrary code execution and maybe even remote code execution. I did some light reading around the issue (time constraints) and what I found agreed with this understanding (e.g. This csoonline article), but the focus of these articles are obviously not Qubes, with its radically different architecture.
About a poll: I wasn’t trying to bring change to Qubes through something like a binding referendum, but rather wanted to see what other users thought about the issue and prompt some debates (pun not intended)–sudo prompt is one of the first things I enable on new systems, and it’s a short process (especially with scripts), so not having it as the default doesn’t really affect me.
I completely understand that one doesn’t engineer systems based on popular votes–that’d be a recipe for disaster. If the US had people vote on technical specifications of space shuttle parts we’d end up with spacecraft that aren’t even fit for the Kerbal Space Program, with all given variants of the name ‘Launchy McLaunchFace’. However, one shouldn’t completely discount the use of a poll on a forum that has self-selected a group of interested people, so this isn’t exactly a poll of the whole internet. The arguments for and against might also yield insights, like in some democratic debates, and so shouldn’t be waved off. Others also had good points, but I want to mention that the mindset of waving off something as it’s “not necessarily required to attack dom0” or Xen is dangerous. Even though I concede that I was wrong, I do want to say that the history of exploits should show that it is often the seemingly unimportant that morph and combine into disasters (or opportunities, depending on where you stand).
Since we’re on the topic of VM security, what do you make of Qubes-VM-hardening, which is bundled with an
configure-sudo-prompt script? It seems widely used, but does it really provide more protection given the logic that an attacker who could execute code is in position to do much worse?